

IT Security For Nonprofits

Cybersecurity is essential for any business, but even more important for nonprofits that are handling not only monetary donations but also donors’ private information. With more than 80% of nonprofits lacking a strategy to deal with cyber attacks and 56% not enforcing multi-factor authentication (MFA), most nonprofits are leaving themselves vulnerable.[1]


Cybersecurity Framework

The US National Institute of Standards and Technology (NIST) created a Cybersecurity Framework to help businesses manage cybersecurity risks. The framework is outlined in the five critical steps below and will help start the conversation to improve your organization’s security and reduce those risks.

  1. Identifying and understanding which business assets attackers want is vital. A business would have difficulty operating without key personal data, making that information a high-value target for cyber criminals.

What You Can Do

  • Create a detailed inventory list of data and physical assets and update it routinely.
  • Know where and how data and technology are stored and who has access to both.
  2. Learning how to protect those assets starts with employees knowing how to protect themselves and the business, as well as understanding the cyber risks as your business grows or adds new technologies or functions.

What You Can Do

  • Keep your security software current by turning on automatic software updates.
  • Enable multi-factor authentication to ensure only those with permission can access those assets.
  • Back up data in the cloud or via separate hard drive storage, but make sure to only give access to the employees who require it to perform the core duties of their jobs.
  • Employees should know not to open suspicious links in email, tweets, posts, online ads, messages or attachments – even if they think they know the source.
  3. Alerts that detect when something has gone wrong can save your information. In cybersecurity, the faster you know about an incident, the faster you can mitigate the impact.

What You Can Do

  • Reach out to local IT experts to explore the option of using a network monitoring service that helps to detect incidents. The availability of cybersecurity tools and services is growing. Some examples include:
  • Look out for unusual requests, attachments, or links both in person and online. Be suspicious.
  4. Responding quickly and having a recovery plan before an attack occurs is critical. We recommend practicing your incident response plan to mitigate an attack or incident and maintain business operations in the short term.

What You Can Do

  • Disconnect the affected computer(s) from the network and connect with IT leadership (whether that’s internal to your organization or a third-party vendor), law enforcement and your legal representation.
  • Have processes for operating by paper to keep the organization functioning if electronic records are unavailable.
  • Familiarize yourself with your state’s data breach notification law.
  5. The final step of making your business more cyber secure includes the recovery efforts after responding to a cyber-incident.

What You Can Do

  • Document lessons learned.
  • Make improvements to policies and procedures and communicate them to all parties involved.
  • Establish continuing education opportunities: train your employees and yourself.

Banker’s Advice

Following the NIST’s Cybersecurity Framework is a great way to begin the process of securing your organization’s information, but here are a few things you can start doing now to decrease your risks:

  • Freeze your credit! This is the best way to prevent identity theft for you, your family and your business
  • Enable card controls
  • Use secure messaging to communicate with your bank
  • Set up a passphrase for telephone communications
  • Turn MFA on for banking, social media, email, everything

